From 11004c96ba72f709d54196ed9ce34b58d2cdcf84 Mon Sep 17 00:00:00 2001 From: egernug Date: Thu, 15 Jun 2023 11:44:50 +0100 Subject: Replace deprecated WebSecurityConfigurerAdapter WebSecurityConfigurerAdapter has been deprecated in Spring 2.7. Change needed to use SecurityFilterChain and InMemoryUserDetailsManager. Note: WebMvcTest does not autoimport configurations that use beans. Issue-Id: CPS-1742 Signed-off-by: egernug Change-Id: I100884f10beaac6ce87e603302280aeb78559017 --- .../org/onap/cps/config/WebSecurityConfig.java | 50 ++++++++++++++++------ 1 file changed, 37 insertions(+), 13 deletions(-) (limited to 'cps-application/src/main/java/org/onap') diff --git a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java index 93a3a6ed2b..aedc6a8d66 100644 --- a/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java +++ b/cps-application/src/main/java/org/onap/cps/config/WebSecurityConfig.java @@ -2,6 +2,7 @@ * ============LICENSE_START======================================================= * Copyright (c) 2021 Bell Canada. * Modification Copyright (C) 2021 Pantheon.tech + * Modification Copyright (C) 2023 Nordix Foundation * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -22,11 +23,14 @@ package org.onap.cps.config; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.provisioning.InMemoryUserDetailsManager; +import org.springframework.security.web.SecurityFilterChain; /** * Configuration class to implement application security. @@ -34,7 +38,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur */ @Configuration @EnableWebSecurity -public class WebSecurityConfig extends WebSecurityConfigurerAdapter { +public class WebSecurityConfig { private static final String USER_ROLE = "USER"; @@ -60,23 +64,43 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter { this.password = password; } - @Override + /** + * Return the configuration for secure access to the modules REST end points. + * + * @param http the HTTP security settings. + * @return the HTTP security settings. + */ + @Bean // The team decided to disable default CSRF Spring protection and not implement CSRF tokens validation. // CPS is a stateless REST API that is not as vulnerable to CSRF attacks as web applications running in // web browsers are. CPS does not manage sessions, each request requires the authentication token in the header. // See https://docs.spring.io/spring-security/site/docs/5.3.8.RELEASE/reference/html5/#csrf @SuppressWarnings("squid:S4502") - protected void configure(final HttpSecurity http) throws Exception { + public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception { http - .csrf().disable() - .authorizeRequests() - .antMatchers(permitUris).permitAll() - .anyRequest().authenticated() - .and().httpBasic(); + .httpBasic() + .and() + .authorizeRequests() + .antMatchers(permitUris).permitAll() + .anyRequest().authenticated() + .and() + .csrf().disable(); + + return http.build(); } - @Override - protected void configure(final AuthenticationManagerBuilder auth) throws Exception { - auth.inMemoryAuthentication().withUser(username).password("{noop}" + password).roles(USER_ROLE); + /** + * In memory user authentication details. + * + * @return in memory authetication + */ + @Bean + public InMemoryUserDetailsManager userDetailsService() { + final UserDetails user = User.builder() + .username(username) + .password("{noop}" + password) + .roles(USER_ROLE) + .build(); + return new InMemoryUserDetailsManager(user); } } -- cgit 1.2.3-korg